Provisioning LDAP roles from SIM

SIM Experts:
I am trying to provision LDAP roles from SIM into our local IPlanet/Sun DS LDAP instance.
When I created the resource in SIM, I noticed it didn't rope in the built-in roles from our LDAP instance, just as it did LDAP groups.
I tried to circumvent this by:
1. Creating individual Role_<> attribute entries in the LDAP resource schema which in turn get mapped to 'nsRoleDN' from LDAP.
2. Creating 'Roles' in SIM mapped to the LDAP resource and setting attribute values for the 'Role_<>' attributes (added earlier to the schema mapping) like -
Role_auditor : cn=Auditor,dc=example,dc=com
The hitch with this approach is if I add multiple roles to the account (during creation), only the last role gets added ... in other words, I see only 1 'nsroleDN' entry.
I do not know if this is the right approach, but could someone suggest a better alternative, if there is one.
Thanks in advance,
apn.

Answered here: http://forum.java.sun.com/thread.jspa?threadID=5247269&tstart=30
... although, as indicated getRoles should return a list of Role names as well... If you create a variable in the workflow and populate it with this call... it should be a List. [item1,item2,item3] may just be the trace representation of a list.

Similar Messages

  • Integrate GRC 10.1 with CUA and how to import roles from CUA & Child systems into GRC for provisioning

    Hello,
    I am trying to integrate CUA into our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:
    1. Connected CUABOX to GRCBOX like a plug-in system.
    2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
    3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
    After reading a few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.
    Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload CUA Child System Roles template what selections should be made in Role Import window.
    Any help in this regard is very helpful.
    Thank you,
    Pawan

    Hi Alessandro,
    I have "Create user if does not exist" setting checked for both change action and assign role action and also have CUA enabled. Here is the list of steps that I am performing:
    1. Create an access request for new account, T-CUA_CHILD and select a role from a child system ECC Z_ECC_ROLE_IN_CHILD_SYSTEM.
    2. Approvals provided to assign the ECC role.
    3. I see the following in GRFNMW_DBGMONITOR_WD.
        Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage GRAC_SECURITY
        New User:T-CUA_CHILD created in System(s): ECC (created without role assignments)
        T-CUA_CHILD User does not exist in target system CUA
    GRC created an account without role assignment in ECC but also threw me an error that the user does not exist in CUA.
    However, if I select roles from both CUA and ECC it creates the account in both systems with the selected role assignments.
    So I am wondering if there is a way to provide CUA access to users by default for new account request types. I have tried setting up default roles for CUA but it does not assign the roles by default until I select the CUA system.
    Thank you for your help!
    Pawan

  • Automatic upload of roles from ECC to portal (UME with LDAP)

    Hi experts,
    This thread reopen the question asked on the following message : automatic upload of roles from BI to portal
    However, it concerns this time "UME with LDAP".
    Problematic :
    SAP Library 04s tells us that it is not yet possible to automate role replication (or role assignment replication) from ABAP Based back-end to Netweaver Portal. Only manual process for initial upload is possible.
    Source = http://help.sap.com/saphelp_nw04s/helpdata/en/41/5e4d40ecf00272e10000000a155106/frameset.htm
    Questions :
    1 - Did anyone ever try to implement such an automatic tool ?
    2 - What if I'm not able to write on the Active Directory ? I am still able, at least, to automate role assignment replication from ABAP Based back-end to Netweaver Portal (ie. UME with LDAP) ? Directly from SAP R/3 to EP through UME, without passing through Active Directory since the group field is not maintained in AD.
    Many thanks for your inputs
    Alexis MARTIN

    Hello,
    As I did not read the previous thread I don't know what exactly you are trying to achieve, but I can tell you about what we have done - as far as it is not too late yet.
    We use the portal with integration to a BI system. In the ABAP stack we have lots of roles with menu items for hundreds of reports. We want the users to see these roles in the portal.
    First we have used the role migration tool of the portal to upload these roles. There is a Java API for executing role uploads from code. You need to create a webservice in the java stack to call this api, and can call the webservice from ABAP.
    However it is just a question of time and role size until this will not work at all. Standard role migration is more or less crap, stability is a problem. It also creates a lot of logs in the PCD and thus fills the database with trash. (After a few OSS messages there is now a program for deleting logs + you can turn off logging.) Also upload of larger roles takes up to an hour, and you always have the problem that your portal roles are not up to date during the day.
    When I got completely fed up, I have implemented an own navigation connector. When you log on to the portal it will connect to the ABAP stack via RFC, load the role, and generate the portal menu from it. It uses caching, but on every logon it checks whether the role has been updated in ABAP since the last time it was loaded. It is up to date, faster than PCD navigation, and you need absolutely no periodical synching at all. I can't even understand why this is not offered by SAP per standard!
    Drawback is that it will of course only work for the menu items, and only menu items with an "URL-type" are supported. I'm pretty sure however that it would be possible to implement a few other types as well.
    Let me know if you are interested in the solution, I can give you a few additional details: oliverDOTsvisztATwienerbergerDOTcom
    Oliver

  • Error Provisioning the Federated roles from CUP to enterprise portal

    Hi Gurus,
    Need help. I am trying to provision the roles to enterprise portal using GRC CUP. I have created the connectors and field mapping and the connection is successful. We have an enterprise portal with producer consumer relationship. The Enterprise portal acts as consumer for the BI portal. The BI portal Roles are federated to Enterprise portal and I get an error "noSuchIdentifier" when I try to provision the federated BI Portal role on the Enterprise portal. I can successfully provision the local portal roles and UME roles on the enterprise portal. I get the error only when trying to provision the roles which are from BI portal.
    Appreciate any help in this regard.
    Thanks,
    Pavan

    Hi Alma,
    This is one of the security issues. We had faced it sometime back. We searched some CSN's and found a solution.
    Go to Service Market place and download the latest Cryptographic Tool kit (Service Market place---->software downloads)
    You will get a sca/sda something like tc/iaik./security(something like this)
    Deploy this on to your instance using your SDM.
    After that, restart the Portal patching. It will go fine.
    reward points if helpful................

  • Fetching ROLES from LDAP

    Hi Experts,
    I need to fetch roles assigned to a user from LDAP. The requirement is such that I need to put the USERID in a search box and on the basis of the USERID, I need to fetch all the roles from LDAP that are assigned to that USERID.
    Any code snippets, links will be appreciated.
    Thanx
    Bhardwaj

    Check this blog by Prakash Singh: https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/2073

  • In ldap how do you get your role from your session.

    I am getting the role from the request in LDAP. How do you get it from the session?
    <%if(request.isUserInRole("management")){%>

    Hi,
    who writes it to the session and which attribute name is used ?
    Frank

  • How do get the role from ldap session.

    I am using the following to get the role from the request in OpenLDAP and j_security_check:
    if(request.isUserInRole("manager")){
    How can I use this in the session:

    You might wanna change permissions for that attribute ...
    Change it from Admin to OWNER and you should be able to then get it for any user ...
    HTH ..

  • Provisioning EP roles and user groups through CUP

    Hello experts,
    I am configuring EP provisioning through CUP.
    I created the EP connector as per the instructions in the config guide. But I have not added any parameter values or did any field mapping. I have imported necessary Portal roles.
    My EP connector is tested successful. But when I try to provision a role through CUP, I get this error:
    Error processing your request, Request no: 4 in stage : NEW_AS11.
    In the log it shows,  Field Mapping is not set for Application  (EP)
    But when I go to field mapping, I get this error for EP.
    Data retrieval from system XP1 failed : com.virsa.ae.service.ServiceException: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
    I could not find much documentation on fieldmapping.
    Are there any steps that I am missing for EP provisioning?
    Thanks in advance..
    Kee

    Thanks for your response.
    I have set up the parameters while setting up the EP connector in CUP.
    My role search URI is correct  but I am not sure about the last three parameters...
    ASSIGN_GROUPS:OC sapgroup
    ASSIGN_ROLES:OC saprole
    CHANGE_USER:OC sapuser
    CREATE_USER:OC sapuser
    CREATE_USER:password password
    DELETE_USER:OC sapuser
    LOCK_USER:OC sapuser
    LOCK_USER:islocked true
    RESET_PASSWORD:OC sapuser
    RESET_PASSWORD:password password
    ROLESEARCH_URI -  http://portalserver name:port number/UserRoleSearchForAEService_5_3/Config1?wsdl&style=document
    ROLESEARCH_URI_USERNAME -  same user Id I provided for the connector
    ROLESEARCH_URI_PASSWORD See your system administrator for the value.
    UNLOCK_USER:OC Sapuser
    UNLOCK_USER:islocked false
    ROLE_DATA_SOURCE -- ROLE.UME_ROLE_PERSISTENCE.un:   ??? What  is the role data source?? Is the value that is  provided is correct for the UME roles
    SCHEMA_ID SAPprincipals   ?? What does this Schema Id mean???
    USER_DATA_SOURCE  ????  Should we mention the user data source on the Portal system. In our case, it is the LDAP. But what would be the corresponding parameter value for LDAP.
    So when I go to field mapping to create one for EP, I get the following error:
    Data retrieval from system XP1 failed : com.virsa.ae.service.ServiceException: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
    Log Details:
    2009-03-03 14:28:48,055 [SAPEngine_Application_Thread[impl:3]_19] ERROR Error in gettting Field Def
    com.virsa.ae.service.ServiceException: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
         at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.sendSchemaRequest(SchemaRequest.java:131)
         at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.getSchemaAttributes(SchemaRequest.java:142)
         at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.getFieldDefinition(SchemaRequest.java:163)
         at com.virsa.ae.configuration.bo.FieldMappingBO.getSAPFieldDefList(FieldMappingBO.java:126)
         at com.virsa.ae.configuration.actions.LoadFieldMapAction.execute(LoadFieldMapAction.java:56)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:425)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:455)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Caused by: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
         at com.sap.engine.services.webservices.jaxm.soap.SOAPPartImpl.setContent(SOAPPartImpl.java:192)
         at com.sap.engine.services.webservices.jaxm.soap.SOAPMessageImpl.<init>(SOAPMessageImpl.java:83)
         at com.sap.engine.services.webservices.jaxm.soap.MessageFactoryImpl.createMessage(MessageFactoryImpl.java:35)
         at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.sendSchemaRequest(SchemaRequest.java:118)
         ... 25 more
    Caused by: com.sap.engine.lib.xml.parser.NestedSAXParserException: Fatal Error: com.sap.engine.lib.xml.parser.ParserException: XMLParser: Bad Attribute value: ' or " expected!(:main:, row:5, col:18)(:main:, row=5, col=18) -> com.sap.engine.lib.xml.parser.ParserException: XMLParser: Bad Attribute value: ' or " expected!(:main:, row:5, col:18)
         at com.sap.engine.lib.xml.parser.DOMParser.parse(DOMParser.java:139)
         at com.sap.engine.lib.xml.parser.DOMParser.parse(DOMParser.java:173)
         at com.sap.engine.services.webservices.jaxm.soap.SOAPPartImpl.parseDocument(SOAPPartImpl.java:221)
         at com.sap.engine.services.webservices.jaxm.soap.SOAPPartImpl.setContent(SOAPPartImpl.java:189)
         ... 28 more
    Caused by: com.sap.engine.lib.xml.parser.ParserException: XMLParser: Bad Attribute value: ' or " expected!(:main:, row:5, col:18)
         at com.sap.engine.lib.xml.parser.XMLParser.scanAttValue(XMLParser.java:1403)
         at com.sap.engine.lib.xml.parser.XMLParser.scanAttList(XMLParser.java:1577)
         at com.sap.engine.lib.xml.parser.XMLParser.scanElement(XMLParser.java:1712)
         at com.sap.engine.lib.xml.parser.XMLParser.scanContent(XMLParser.java:2442)
         at com.sap.engine.lib.xml.parser.XMLParser.scanElement(XMLParser.java:1843)
         at com.sap.engine.lib.xml.parser.XMLParser.scanContent(XMLParser.java:2442)
         at com.sap.engine.lib.xml.parser.XMLParser.scanElement(XMLParser.java:1843)
         at com.sap.engine.lib.xml.parser.XMLParser.scanContent(XMLParser.java:2442)
         at com.sap.engine.lib.xml.parser.XMLParser.scanElement(XMLParser.java:1843)
         at com.sap.engine.lib.xml.parser.XMLParser.scanDocument(XMLParser.java:2845)
         at com.sap.engine.lib.xml.parser.XMLParser.parse0(XMLParser.java:231)
         at com.sap.engine.lib.xml.parser.AbstractXMLParser.parseAndCatchException(AbstractXMLParser.java:145)
         at com.sap.engine.lib.xml.parser.AbstractXMLParser.parse(AbstractXMLParser.java:160)
         at com.sap.engine.lib.xml.parser.AbstractXMLParser.parse(AbstractXMLParser.java:261)
         at com.sap.engine.lib.xml.parser.Parser.parseWithoutSchemaValidationProcessing(Parser.java:280)
         at com.sap.engine.lib.xml.parser.Parser.parse(Parser.java:342)
         at com.sap.engine.lib.xml.parser.DOMParser.parse(DOMParser.java:101)
         ... 31 more
    2009-03-03 14:28:48,055 [SAPEngine_Application_Thread[impl:3]_19] ERROR com.virsa.ae.service.ServiceException: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
    com.virsa.ae.core.BOException: com.virsa.ae.service.ServiceException: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
         at com.virsa.ae.configuration.bo.FieldMappingBO.getSAPFieldDefList(FieldMappingBO.java:134)
         at com.virsa.ae.configuration.actions.LoadFieldMapAction.execute(LoadFieldMapAction.java:56)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:425)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:455)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Caused by: com.virsa.ae.service.ServiceException: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
         at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.sendSchemaRequest(SchemaRequest.java:131)
         at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.getSchemaAttributes(SchemaRequest.java:142)
         at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.getFieldDefinition(SchemaRequest.java:163)
         at com.virsa.ae.configuration.bo.FieldMappingBO.getSAPFieldDefList(FieldMappingBO.java:126)
         ... 22 more
    Caused by: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
         at com.sap.engine.services.webservices.jaxm.soap.SOAPPartImpl.setContent(SOAPPartImpl.java:192)
         at com.sap.engine.services.webservices.jaxm.soap.SOAPMessageImpl.<init>(SOAPMessageImpl.java:83)
         at com.sap.engine.services.webservices.jaxm.soap.MessageFactoryImpl.createMessage(MessageFactoryImpl.java:35)
         at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.sendSchemaRequest(SchemaRequest.java:118)
         ... 25 more
    Caused by: com.sap.engine.lib.xml.parser.NestedSAXParserException: Fatal Error: com.sap.engine.lib.xml.parser.ParserException: XMLParser: Bad Attribute value: ' or " expected!(:main:, row:5, col:18)(:main:, row=5, col=18) -> com.sap.engine.lib.xml.parser.ParserException: XMLParser: Bad Attribute value: ' or " expected!(:main:, row:5, col:18)
         at com.sap.engine.lib.xml.parser.DOMParser.parse(DOMParser.java:139)
         at com.sap.engine.lib.xml.parser.DOMParser.parse(DOMParser.java:173)
         at com.sap.engine.services.webservices.jaxm.soap.SOAPPartImpl.parseDocument(SOAPPartImpl.java:221)
         at com.sap.engine.services.webservices.jaxm.soap.SOAPPartImpl.setContent(SOAPPartImpl.java:189)
         ... 28 more
    Caused by: com.sap.engine.lib.xml.parser.ParserException: XMLParser: Bad Attribute value: ' or " expected!(:main:, row:5, col:18)
    Appreciate your response.
    Thanks
    Kee

  • Changing LDAP System from AD to ADAM in CUCM 7.1.5

    Hello Guys,
    First time poster here, so be gentle...
    We have a query regarding LDAP Synchronisation in CUCM 7.1.5.
    A brief background :
    Our CUCM environment has expanded since we first put it in a couple of years ago. We originally had, and continue to have, a single LDAP System configured on CUCM for only one of our AD forests. 
    We have a multi-forest AD environment, with us rolling out more and more CUCM enabled sites from our differing AD forests.
    1 x CUCM 7.1.5 Pub (+ 2 x Subs)
    1 x Presence
    1 x MP
    1 x UCCX
    1 x Unity Connection
    3 x Unity
    We are building an AD LDS (ADAM) server to enable our multi-forest integration and LDAP synchronisation from CUCM. This is built based off this Cisco doco :
    http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_configuration_example09186a0080b2b103.shtml
    Our question :
    Changing the CUCM LDAP System (and thus also changing the LDAP Directory and Authentication)
    From : "Microsoft Active Directory"
    To : "Microsoft Active Directory Application Mode" (ADAM)
    AND : After running the first CUCM sync with the new ADAM server.
    What impact will this have on the existing user accounts in CUCM (in terms of their Associated Devices and their Permissions Groups and Roles)?
    Will they be overwritten and thus the above fields be blank? Leaving us having to manually add all that back in to our existing user base.
    Or, (which we feel is most likely), will there be duplicate accounts created in CUCM?
    The reason we feel there will be duplicates is due to the nature of multi-forest deployments and the issue of having the same usernames in two or more forests. All authentication requests must be performed using their User Principal Name (UPN), such as [email protected], rather than the standard way of just using your userid : jdoe
    Sorry for the long winded query.
    Appreciate any thoughts/opinions on this.
    Cheers,
    Rick.

    Rick,
    I haven't done this myself, so keep that in mind. As you say, be gentle.
    Putting ADAM aside for the moment, in an LDAP sync configuration when you establish a sync agreement the CUCM does the following:
    1. All user objects in the CUCM db are marked inactive
    2. CUCM begins sync'ng with LDAP
    3. For each user object learned from LDAP: The LDAP attribute chosen to map to the user ID in CUCM is compared to existing CUCM user objects.
    - If a match is found, the account is activated
    - attributes for first name, last name, telephoneNumber, etc. are then overwritten with the LDAP values (based on attribute mappings)
    4. After the sync completes, any CUCM user object that did not have an LDAP object with the same user ID is still marked inactive. These objects will be purged during the next clean up interval
    To give an example, I had a project where the customer was doing an upgrade from 4.1 to 7.1(3). As part of the upgrade, user objects were moved over to CUCM 7.1(3). Then we enabled LDAP sync. User objects were not deleted, nor were there duplicates. Configurations such as device associations were unaffected. The only thing we needed to do was check the CUCM user DB against LDAP user objects (running scripts against both) to find any mismatches between sAMAccountName and the CUCM user ID.
    Assuming the sync process and behavior for activating/deactivating accounts is the same with an ADAM integration, then I wouldn't expect you to have an issue.
    HTH.
    Regards,
    Bill
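
The sync steps described in the reply above, modelled as an added example (not part of the original posts and not Cisco code), together with the pre-sync ID check the reply mentions. The sample users, `ATTRIBUTE_MAP`, and the creation of a new account for an unmatched LDAP entry are assumptions of this model.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class CucmUser:
    user_id: str
    first_name: str = ""
    last_name: str = ""
    telephone: str = ""
    devices: list = field(default_factory=list)  # local CUCM data, never sourced from LDAP
    roles: list = field(default_factory=list)    # local CUCM data, never sourced from LDAP
    active: bool = True


# LDAP attribute -> CucmUser field (hypothetical mapping for this example)
ATTRIBUTE_MAP = {"givenName": "first_name", "sn": "last_name",
                 "telephoneNumber": "telephone"}


def preflight(cucm_users, ldap_entries, id_attr):
    """Compare user IDs on both sides before enabling the sync agreement."""
    ldap_ids = Counter(e[id_attr] for e in ldap_entries if e.get(id_attr))
    return {
        # would stay inactive after the sync and be purged at the next clean-up
        "cucm_without_ldap": sorted(set(cucm_users) - set(ldap_ids)),
        # have no existing CUCM account to inherit devices or roles from
        "ldap_without_cucm": sorted(set(ldap_ids) - set(cucm_users)),
        # same ID in more than one forest: the entries cannot be told apart
        "colliding_ids": sorted(uid for uid, n in ldap_ids.items() if n > 1),
    }


def sync(cucm_users, ldap_entries, id_attr):
    """Apply steps 1-4 of the reply to the cucm_users dict, in place."""
    for user in cucm_users.values():          # step 1: mark everything inactive
        user.active = False
    created = []
    for entry in ldap_entries:                # steps 2-3: walk the LDAP objects
        uid = entry.get(id_attr)
        if not uid:
            continue
        user = cucm_users.get(uid)
        if user is None:
            # Assumption of this model: an unmatched LDAP entry becomes a
            # new account with no devices and no roles.
            user = cucm_users[uid] = CucmUser(user_id=uid)
            created.append(uid)
        user.active = True                    # match found: reactivate
        for ldap_attr, attr in ATTRIBUTE_MAP.items():
            if ldap_attr in entry:            # mapped attributes are overwritten
                setattr(user, attr, entry[ldap_attr])
    # step 4: whatever is still inactive waits for the purge
    pending = sorted(u.user_id for u in cucm_users.values() if not u.active)
    return {"created": sorted(created), "pending_purge": pending}


def sample_cucm():
    """Constructed CUCM user table (not real data)."""
    return {
        "jdoe": CucmUser("jdoe", "J", "Doe", "1000",
                         ["SEP001122334455"], ["Standard CCM End Users"]),
        "asmith": CucmUser("asmith", "A", "Smith", "1001",
                           ["SEP66778899AABB"], ["Standard CCM End Users"]),
    }


# Constructed LDAP entries from two forests; "jdoe" exists in both.
SAMPLE_LDAP = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@forest-a.example",
     "givenName": "John", "sn": "Doe", "telephoneNumber": "2000"},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@forest-a.example",
     "givenName": "Anna", "sn": "Smith", "telephoneNumber": "2001"},
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@forest-b.example",
     "givenName": "Jane", "sn": "Doe", "telephoneNumber": "3000"},
]

if __name__ == "__main__":
    for attr in ("sAMAccountName", "userPrincipalName"):
        print(attr, preflight(sample_cucm(), SAMPLE_LDAP, attr))
        print(attr, sync(sample_cucm(), SAMPLE_LDAP, attr))
```

In this model, keeping the user ID mapping on `sAMAccountName` preserves device associations and roles but collides on `jdoe` across forests, while switching the mapping to `userPrincipalName` leaves every existing account unmatched.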

  • Use GRAC_USER_ACCES_WS to provision Business Role

    I have a situation where I need to provision several hundred users across 90 business roles. I have been experimenting with FM GRAC_IDM_USR_ACCS_REQ_SERVICES (underlying FM for enterprise service GRAC_USER_ACCES_WS) to automate mass provisioning using GRC access requests. I figured out how to use the FM to provision technical roles to users but cannot get it to work for GRC Business Roles.
    If the service cannot provision business roles, that would imply that an IdM would also not be able to do so. We are currently looking at IdM (non-SAP) solutions. Now I wonder if the value of business roles we are building will be diminished if an IdM is used.
    Is it possible to provision business roles using the service and/or FM? If so, any details on the input values required would be much appreciated.

    Hi Harinam,
    Thanks for the details. I have already raised an OSS message to SAP.
    I have implemented SAP note 1930923 in GRC sandbox system and can see that the mail issue I am reporting was no longer appearing. But I have seen new one this time
    After note implementation: (Change Account Request Type with Business Role Assignment)
    Hi GRC User Demo 1 (Z_GRAC_USER1),
    The Request number : 592 , has been processed and the Request is Closed. The details are as follows:
    XX Business role assigned to Z_GRAC_USER1
    Kind regards,
    Access Control Administrator
    Before and After note implementation: (Change Account Request Type with Business Role removal)
    Hi GRC User Demo 1 (Z_GRAC_USER9),
    The Request number : 593 , has been processed and the Request is Closed. The details are as follows:
    YY Role removed from Z_GRAC_USER9 ( )
    Kind regards,
    Access Control Administrator
    Now the issue during role assignment is resolved, but during role removal mail notification says role has been removed from user and ends with empty brackets ().
    For single roles, these brackets are usually filled with the system name. Maybe for business roles, since there will not be any specific system, it is coming empty, but I think SAP should fix this.
    Let me know if you are also facing the same.
    Since you confirmed that you are using business roles, let me know any critical issues which you came across as part of SP13 as we are also on SP13 and could be helpful.
    Thanks once again for taking your time in replying for my issue.
    Regards,
    Sai.

  • Create Business role from workflow

    We have a problem creating a Business role from workflow in SIM 8.1.0.7. Especially we can not set PrimaryObjectGroup of the newly created role.
    Is there a way to set this parameter or to set the type of the role to be Business Role, not IT Role?
    Here is the code for the creation:
    <set name='roleObject'>
      <new class='com.waveset.object.Role'>
      </new>
    </set>
    <invoke name='setName'>
      <ref>roleObject</ref>
      <s>role1</s>
    </invoke>
    <invoke name='setAuthType'>
      <ref>roleObject</ref>
      <s>BusinessRole</s>
    </invoke>
    <invoke name='setDescription'>
      <ref>roleObject</ref>
      <s>Test</s>
    </invoke>

    I was able to create the role by this code:
    <set name="rolesvar">
      <invoke name='getObject' class='com.waveset.ui.FormUtil'>
        <select>
          <ref>:display.session</ref>
          <ref>context</ref>
          <invoke name='getLighthouseContext'>
            <ref>WF_CONTEXT</ref>
          </invoke>
        </select>
        <s>Role</s>
        <s>Template</s>
      </invoke>
    </set>
    <set name='roleObject'>
      <new class='com.waveset.object.Role'>
        <invoke name='getPrimaryObjectClass'>
          <ref>rolesvar</ref>
        </invoke>
      </new>
    </set>
    <invoke name='setName'>
      <ref>roleObject</ref>
      <s>BusinesRole1</s>
    </invoke>
    <invoke name='setAuthType'>
      <ref>roleObject</ref>
      <s>BusinessRole</s>
    </invoke>
    <invoke name='setDescription'>
      <ref>roleObject</ref>
      <s>Test Business Role</s>
    </invoke>
    <invoke name='setMemberObjectGroupRef'>
      <ref>roleObject</ref>
      <invoke name='getObjectGroupRef' class='com.waveset.object.ObjectGroup'>
        <select>
          <ref>:display.session</ref>
          <ref>context</ref>
          <invoke name='getLighthouseContext'>
            <ref>WF_CONTEXT</ref>
          </invoke>
        </select>
        <s>Org1</s>
      </invoke>
    </invoke>
    But there, Template is a real object which has to be created. Is there a static method for getting an objectClass variable and passing it as an argument to the constructor?
    Edited by: piaggio100 on 2011-10-20 16:13

  • BPM11g-LDAP Roles

    Hi All,
    I am stuck with the following issue.
    I am using Jdeveloper 11.1.1.3.0 for BPM 11g implementation on Sales Application.
    I have Weblogic Server 10.3.3 Installed and configured the domain. Also the server is up and running.
    In Jdeveloper from BPM Project Navigator I am using my Sales.bpmn process with complete flow, simulation
    and implementation. When I open the Organization from BPM Project Navigator. In Organization my created roles
    are Approvers, Business Practices, Contracts and Sales Rep. from the IDE connections I created my weblogic
    application server connection and tested showing all the 9 connections successful.
    In the Identity lookup I select the newly created My weblogic application server connection, which displays
    the next Realm field as jazn.com which in the search pattern of lookup displays only weblogic and system user.
    At this point I need the pre-seeded LDAP roles as (jcooper, cdickens, jstein, wfaulk and others) to be displayed
    in the users list.
    My query is how we use the pre-seeded roles in the LDAP of the Oracle Weblogic Server installed.
    How do I add the pre-seeded roles in the LDAP of Oracle Weblogic Server ?
    Awaiting quick response.
    Regards
    Ajaz Ahmed

    Hi Ravi,
    Thanks a lot for your suggestion. I was able to create the LDAP users as roles and could see them in jazn.com lookup.
    I have another issue now. I successfully deployed my process without any errors or warnings, and the build was successful. Deployment finished as:
    [05:08:56 PM] /workflow/EnterQuotUILab
    [05:08:56 PM] /workflow/BusinessPracticesReviewUILab
    [05:08:56 PM] /workflow/ApproveTermsUILab
    [05:08:56 PM] /workflow/ApproveDealUILab
    [05:08:56 PM] /workflow/FinalizeContractsUILab
    [05:08:56 PM] Elapsed time for deployment: 1 minute, 56 seconds
    [05:08:56 PM] ---- Deployment finished. ----
    When I log in to the BPM workspace with the URL
    http://localhost:7001/bpm/workspace
    on the upper left of the Applications area, I can see the link [QuoteProcessLab] RequestQuoteLab v1.0.
    When I click on the just-completed application, the following error pops up:
    Cannot create instance in process
    'default/QuoteProcessLab!1.1*soa_80....b/RequestQuoteLab'.
    Please correct me where I am wrong. How is the Instance Process created after successful deployment of the application?
    Please advise.
    Regards
    Ajaz Ahmed

  • Remove role from user

    Hi, how do I remove a role from a user when he is terminated or disabled?
    I am assigning a role in the following way during creation with the help of a rule:
    <setvar name='newuser.waveset.roles'>
    <filterdup>
    <appendAll>
    <ref>accounts[Lighthouse].roles</ref>
    <s>General-Provision-Role</s>
    <rule name='Get Location Role'>
    <argument name='LocationCode' value='$(newuser.global.LocationCode)'/>
    </rule>
    </appendAll>
    </filterdup>
    </setvar>
    How do I remove this role on termination of the user?

    We are looking for a way to automate the removing of a user (US) or role (AG) from a position (S).
    There is a report called RHGRENZ2 which can be used to delimit specific OM infotypes (like IT1001 - Relationships) by specifying the end date and Position ID (Object Type S and Object ID = Position) manually. In your case, I believe IT1001's relationships A008 and B007 have to be delimited in order to remove a user (US) or role (AG) from a position (S), but this report cannot be run for specific relationship types of IT1001 (at least I never found an option to filter based on relationship types).
    You can try using report RHRHDL00 to delete IT1001 relationships from the PP database, but you should consider the consequences of such deletions and restrict the selection based on infotypes and relationship types carefully.
    Alternatively, you can also build an LSMW script to automate the process of mass delimiting/deletion of IT1001's relationship types using transaction PP02 (PP01 is not compatible with BDC/background processing).
    Thanks
    Sandipan

  • Provisioning with roles

    Question for everyone. We are switching over some of our code base to do resource assignment with roles. Previously this was done through our workflow. I have a few basic (I hope) questions about resource provisioning with roles.
    1. I assume that the account doesn't actually get provisioned until a provisioning service is called, right? Just the assignment of the role itself doesn't kick off a provisioning service?
    2. Do you advise setting attributes within the role itself, either through a rule or a static variable? The reason I ask this is because we have several attributes that get set only when we are going to provision that resource. They are globals for the most part. A perfect example of this would be the domain account ID. We are still trying to set the attributes in the workflow and it seems that this is giving us some headaches.
    Thanks!

    Hi,
    Once a role is assigned to a user, the provisioning workflow is not commenced until those changes are saved. If you use the administrator interface you must first edit the user, then assign a role, save the changes and commit those changes either via the 'Save' or 'Save in background' buttons. Once the changes are committed, the workflow will provision the user in the resources as defined in the role.
    It is advisable to use the attribute setting within the role rather than the workflow. You can however call rules from within the role to provide a greater level of flexibility if that is required. See [Understanding and Managing Roles|http://docs.sun.com/source/820-2954/IDM_admin_roles-and-resources.html#wp1081754] for more information.
    Hope this helps

  • How to get the Role from a process

    Hi,
    I have a process where I have different role panes with human intervention activities. Each human intervention invokes a screenflow.
    Is there any method by which I can get the role pane from which an instance is generated?
    For example, in process P1, I have 3 different role panes, i.e. R1, R2, R3. Suppose there is a human intervention activity A3 in R3. It invokes a screenflow in which there are different methods. I want to get the roleId here, i.e. R3.
    Through creation data I can know the instance creator, i.e. participant ID, but a participant can have more than one role. I want to get the role from which the Human Intervention activity is invoked.
    Please suggest / help.
    Thanks
    Jayant

    Hey, thanks a ton.
    It works fine with the following code:
    role = Activity.role
    logMessage "message"
    logMessage "Role: " + role.name
    role.id returns an int, so I used role.name
    Thanks and Regards
    Jayant
